MFA Fatigue
An attack that floods a victim with repeated MFA push notification requests until they approve one out of frustration or confusion.
Also known as: MFA bombing, push bombing, push notification fatigue
Last reviewed: 1 June 2026
MFA fatigue (also called 'MFA bombing' or 'push bombing') exploits the user experience of push-based multi-factor authentication. The attacker, who already possesses the victim's username and password (obtained via phishing or purchase), repeatedly triggers authentication attempts that generate push notifications on the victim's phone. The victim receives dozens of approval requests in rapid succession, often at inconvenient times including late at night.
Fatigued or confused victims may eventually approve a request to stop the notifications, believing it is a system error or IT activity. Some attackers combine the push flood with a phone call or text message impersonating IT support, claiming there is a legitimate system issue that requires the user to approve the notification.
High-profile breaches attributed in part to MFA fatigue show that push-based MFA is not immune to social engineering. Mitigations include switching to number-matching or context-aware MFA (where the user must enter a code tied to the specific sign-in attempt rather than simply tap "Approve", which eliminates blind approvals), limiting the number of push attempts per session, and using phishing-resistant FIDO2 authentication.
Examples
- An attacker with a stolen password sends 60 MFA push requests to an employee over two hours; at 2 a.m. the employee approves one to stop the interruption, granting the attacker access.
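The detection side of the mitigations above, as an added example that is not part of this glossary entry: a small detector that replays IdP push-notification log lines, flags a burst of prompts to one user inside a sliding window, and raises a higher-severity finding when an approval lands while the burst is still in the window (the pattern in the 2 a.m. scenario). The log format, user names and event names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real IdP). Assumed line format:
# "<ISO-8601 UTC timestamp> user=<name> event=push_<sent|denied|approved>"
SAMPLE_LOG = """\
2026-05-30T01:40:02Z user=alice event=push_sent
2026-05-30T01:40:40Z user=alice event=push_denied
2026-05-30T01:41:10Z user=alice event=push_sent
2026-05-30T01:42:05Z user=alice event=push_sent
2026-05-30T01:43:30Z user=alice event=push_sent
2026-05-30T01:44:50Z user=alice event=push_sent
2026-05-30T01:46:01Z user=alice event=push_sent
2026-05-30T01:47:22Z user=alice event=push_approved
2026-05-30T09:15:00Z user=bob event=push_sent
2026-05-30T09:15:12Z user=bob event=push_approved
"""

LINE_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+event=(push_\w+)$")


def parse(log):
    """Yield (timestamp, user, event) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)


def detect_push_bombing(log, window=timedelta(minutes=10), threshold=5):
    """Flag a user who receives >= threshold pushes inside a sliding window (a burst),
    and any approval that arrives while such a burst is still inside the window."""
    recent = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    findings = []
    for ts, user, event in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:  # evict pushes older than the window
            q.popleft()
        off_hours = not 6 <= ts.hour < 22  # floods often land late at night
        if event == "push_sent":
            q.append(ts)
            if len(q) == threshold:  # fire once, when the burst threshold is crossed
                findings.append({"user": user, "kind": "push_burst", "count": len(q),
                                 "at": ts, "off_hours": off_hours})
        elif event == "push_approved" and len(q) >= threshold:
            # The dangerous case: a single approval after a flood of prompts
            findings.append({"user": user, "kind": "approval_after_burst", "count": len(q),
                             "at": ts, "off_hours": off_hours})
    return findings
```

On the sample log the detector reports a burst for alice at the fifth push and an approval after six pushes within the window, while bob's single push-and-approve is left alone.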